Secure Remote Desktop with SSH FreeNX & DD-WRT


Post by 2hot6ft2 » Wed Apr 28, 2010 3:41 pm

For a Secure Remote Desktop on Ultimate Edition 2.5 here is how I did it using OpenSSH, FreeNX and a router with DD-WRT v24.
Note: Your router does NOT have to be running DD-WRT to do this. Mine is so I am including the instructions for it.

Pic of it in use at bottom of post, transferring a file and remote desktop at the same time.

For the purposes of this guide I will use a Desktop as the Server (Host) which is at home.
The Client will be a Laptop that I can use to control the Desktop remotely.

First you should already be familiar with the Terminal which is where you enter commands (anything in a "Code:" box). In Ubuntu it is in
Applications > Accessories > Terminal
In Kubuntu it is usually on the lower left taskbar and is called Konsole
I am using Ubuntu so you may have to make some adjustments to this guide if you are not using Ubuntu.

Installing OpenSSH (for the rest of this guide I will refer to it as only SSH)

Installing the Server on the Desktop (Host)
Code:
sudo apt-get update

then
Code:
sudo apt-get install openssh-server

then we want to back up the original configuration file and protect it from being overwritten with
Code:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original

and
Code:
sudo chmod a-w /etc/ssh/sshd_config.original

Choosing a port other than the default port number 22: you can use just about any port number, but it's best to stay away from commonly used ports. Something between 1024 and 65536 will work, but between 49151 and 65536 is usually better. I recommend AGAINST using 2222 or 8888 like the guides use as "examples". You can find more info on ports at these links, among others:
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
http://www.iana.org/assignments/port-numbers
http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html

Once you have chosen a port to use, change the default port from 22 to that port number by opening the config file using
Code:
gksu gedit /etc/ssh/sshd_config

Find the line that says:
#Port 22

change the 22 to the port number you decided to use and uncomment it by removing the "#" so it will look like
Port 22

but with your port number.
There are other things to be changed in this file later, but for right now the idea is to get it up and running; then we can tweak it and secure it better. Click on Save and close it.
Restart the server using
Code:
sudo /etc/init.d/ssh restart

You can replace "restart" with "stop" or "start" if you want to stop or start the SSH server. Stopping it when it's not going to be used is a good idea; you can always start it again.


Installing the Client on the Laptop
Code:
sudo apt-get update

then
Code:
sudo apt-get install openssh-client

then to change the port on the Client to the same as the Host run
Code:
gksu gedit /etc/ssh/ssh_config

Find the line that says:
#Port 22

change the 22 to the port number you decided to use and remove the "#" so it will look like
Port 22

but with your port number.
---------------
Both host and client config files will need to be changed so edit both to the same port #.

sshd_config is the configuration file for the SSH Server (Host) (/etc/ssh/sshd_config).
ssh_config is the configuration file for the SSH Client (/etc/ssh/ssh_config).
Make sure you don't get them mixed up.
---------------

Static IP Address for the server & port forwarding

I am using a router with dd-wrt firmware and have included the instructions for it, but it is not required as long as you can set port forwarding and static IP Addresses in your router's configuration to accomplish the same thing.
Also, dd-wrt has the DDNS option, which is used in case my ISP changes my public IP Address so I can still connect from outside my LAN. If your router doesn't have that option, you can get a client to install on your server from the DynDNS service when you sign up, which comes later in this how to.

This would be a good time to give your server (host) and Client static IP addresses using your router. You should already know how to access your router's configuration since you set up your network and put dd-wrt on it.
You can find out the MAC Address of the server's adapter (it will be like xx:xx:xx:xx:xx:xx where the x's are letters and numbers), and its current IP address, by opening a Terminal and putting in:
Code:
ifconfig

Do the same with the Client.

In DD-WRT v24 you would go to Services > Services > Static Leases and click on Add (twice if you are going to give them both static IP Addresses), this will open 3 boxes for each (server and client) where you can put your adapters
"MAC Address - A description or name like Server or Client (no spaces allowed) - IP Address you want the adapter to have"

More info and a guide here: http://www.dd-wrt.com/wiki/index.php/Static_DHCP
Be sure to set your static IPs outside of your automatic DHCP address range (see the above guide).
Click on "Apply Changes" at the bottom of the page to make it take effect immediately. The router will reboot itself and the changes will be in effect. So wait for it to reboot.

While you're in the router's configuration you can also set a "port forward" if you plan on accessing your server (host) from outside your LAN (Local Area Network), in other words from the Internet. Go to NAT/QoS > Port Forwarding, enable it and put in your info, consisting of:
A name (whatever you want)
Port From (the port you will use in the Client for when you want to connect to the server from outside your LAN)
Protocol (Both, TCP is needed, I'm not sure if UDP is)
IP Address (the static IP Address you just assigned to your server (host) above)
Port To (the port # you set SSH to on your server (host))
Tick the box to Enable

Click on "Apply Changes" at the bottom of the page to make it take effect immediately. The router will reboot itself and the changes will be in effect. Again wait for it to reboot.
Port forwarding guide here: http://www.dd-wrt.com/wiki/index.php/Port_Forwarding
You can have and save profiles, so keeping one for the LAN and one for accessing it from outside the LAN is simple, and you don't have to use the same port # as SSH.


Firewall, Opening a port

A rule should be added to the server's firewall to allow connections to the server's port. I'm using Firestarter; if you're using something else then see the documentation for the one you're using. If using Firestarter, open it.
System > Administration > Firestarter

The Status tab should show it as active
Click on the Policy tab, then left click in the bottom box, then on the + sign.
Here you can enter a Name or use the drop down
Change the port # to the one you setup SSH to use.
And choose who can connect to it. You can choose from Everyone, LAN only, a specific IP Address, or IP Addresses.
You can set it to the IP Address of your client for now (if you want) while configuring things and change it later so you'll be able to connect to it from anywhere.
Click Add, then the Check mark to apply the settings then you can close it.

Connecting for the first time

If you want to easily be able to tell if you made it to the server, make a file (an empty text file) in the home folder on the server so you'll know you're looking at that folder and not the one on the client. Name it something unique like MADE-IT or WhoooHooo. Whatever name you pick, you can delete the file anytime you want later.
Use this to connect to the server (changing the port from 22 to what you made it and the IP Address to the one you gave the server):
Code:
ssh -p 22 192.168.?.???

If you put in a password earlier then it will ask for it so enter it and hit Enter.
Once it connects use
Code:
ls

That's a lower case LS and it will list the files in the server's home folder, and you should see the file you made (MADE-IT, WhoooHooo or whatever).

If everything looks good then congratulations you have an active SSH Server and Client working. If not go back thru and see what's wrong. This is far from secure at this point. So next we want to secure it.


Passwords and Keys

You should really read this page
http://help.ubuntu.com/community/SSH/OpenSSH/Keys
since I'm not going to reproduce it all here since it's very good.
Don't just start putting in the commands... Read it all first since at first it says to use
Code:
ssh-keygen -t rsa

but farther down the page it changes that (increasing its strength) to this
Code:
ssh-keygen -t rsa -b 4096


When you get to the part of the above page titled "Password Authentication", it recommends disabling password authentication altogether. We will, but if you do it right now you won't be able to test FreeNX yet, as FreeNX by default requires it to be enabled to work. Disabling it will come later.
There is a link there for "strong passwords" that will come in handy; it leads here:
http://help.ubuntu.com/community/StrongPasswords

Once you finish the instructions on that page you should be able to connect like before with:
Code:
ssh -p 22 192.168.?.???

Again, change the port from 22 to what you made it and the IP Address to the one you gave the server.
This time you should not be prompted for a password.

SSH should now be set up and have a static IP Address. You should be able to connect to it by terminal without a password using the keys, and from another computer that doesn't have the keys with a password (at this point).

Transferring files using a GUI (Graphical User Interface) like nautilus or krusader (this is Ultimate Edition so pick your favorite)

Nautilus (Ubuntu)
Places > Connect to server
Service Type: SSH
Server: IP Address of the server
Port: The port you set the server to
Folder: /home/<your-user-name-on-the-server>/ (this will have it open in your Home Folder on the server, you can set it to wherever you want it to open)
You can check the "Add Bookmark" box and it will show up under Places as Whatever you name it so you can just click on it like a folder.
Click on Connect

krusader (Kubuntu)
Tools > New Net Connection
Protocol: fish://
Host: IP Address of the server
Port: The port you set the server to
Username: Your username on the host computer
Password: Your password on the host computer
Click on Connect

I'm not sure how or if it can be done with Konqueror

Some others that can be used

gFTP
Host: IP Address of the server
Port: The port you set the server to
Username: Your username on the host computer
Password: Your password on the host computer
Select SSH2
Click on the icon to the left of Host that has 2 computers to connect (and disconnect)

Dolphin (also has a split view to work on 2 folders at one time)
Click on Networks on the left
Click on Add Network Folder
Select Secure shell (ssh)
Click on Next
Put in your Name
Put in your Username (username on the host computer)
Server: The IP Address of the server
Port: The port you set the server to
Folder: /home/<your-user-name-on-the-server>/ (this will have it open in your Home Folder on the server, you can set it to wherever you want it to open)
Encoding: Change to (Unicode UTF-8) or whatever works for you
Checking "Create an icon for this remote folder" is up to you
Click on Connect

Gigolo
Click on Connect
Service type: SSH
Server: IP Address of the server
Port: The port you set the server to
Username: Your username on the host computer
Click on Connect
The server will show up in the window (sftp for (username) on (IP Address of the server))


Installing FreeNX for the graphical remote desktop

The guide here: http://help.ubuntu.com/community/FreeNX is real good so just follow the parts in it for:

Installing the FreeNX server on Ubuntu Karmic (9.10)
Installing the NX Client
How to start/stop FreeNX
Configuring SSH port (some you have already done and you'll be using the port you gave the server earlier)
and
Using custom SSH keys
************
Note: When setting up the Custom Keys in FreeNX I just went with Create new custom keys and Authenticate via SSH. I am not familiar with the other options and I didn't write the wiki for FreeNX.
************
Thanks to Zalbor there is another option and I'll quote it here along with how it should change things.

You said to pick "SSH" authentication when running dpkg-reconfigure, and later on you change the node.conf file to disallow it and use another (PASSDB) first. You could simply choose "PASSDB" when reconfiguring.

My understanding is that if you follow those instructions you would NOT need to change these 2 lines in the /etc/nxserver/node.conf file as described in this how to and those being:
change
#ENABLE_PASSDB_AUTHENTICATION="0"
and
#ENABLE_SSH_AUTHENTICATION="1"
to
ENABLE_PASSDB_AUTHENTICATION="1"
ENABLE_SSH_AUTHENTICATION="0"

So disregard those changes if you choose "PASSDB" when reconfiguring.
Since I haven't tried it myself I'm leaving them in the how to for now until I'm sure they can be omitted. I probably won't upgrade this server for a while to try it out myself, so if you try it let me know how it goes.
*************

Once you finish that there are a few more things to do

Remember, we didn't disable password authentication in SSH.

So we're going to edit 2 files on the server (host)
/etc/ssh/sshd_config
and
/etc/nxserver/node.conf

So open a terminal.
Applications > Accessories > Terminal
and use:
Code:
gksu gedit /etc/ssh/sshd_config

Hit Enter
Type in your password and hit Enter

(uncomment & change the following by removing the # and any space from the beginning of the lines.)
change
#PasswordAuthentication yes
to
PasswordAuthentication no
add
AllowUsers nx <yourusername> (yourusername is the name you use when logging in on the server normally, without the arrows <>)
UsePAM yes (already there at bottom place AllowUsers above this)


Save the file and close it then use:
Code:
gksu gedit /etc/nxserver/node.conf


(uncomment & change the following by removing the # and any space from the beginning of the lines if you haven't already)
#SSHD_PORT=22 (change to the SSH port number and uncomment the line by removing the # sign)
change
#ENABLE_PASSDB_AUTHENTICATION="0"
and
#ENABLE_SSH_AUTHENTICATION="1"
to
ENABLE_PASSDB_AUTHENTICATION="1"
ENABLE_SSH_AUTHENTICATION="0"


Save the file and close it, then use this to create an account on the NX server:
Code:
sudo nxserver --adduser (yourusername)

(yourusername is the name you use when logging in on the server normally, without the brackets ())
NX server will reply with:

NX> 100 NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: 3.3.0)
NX> 1000 NXNODE - Version 3.2.0-74-SVN OS (GPL, using backend: 3.3.0)
NX> 716 Public key added to: /home/yourusername/.ssh/authorized_keys2
NX> 1001 Bye.
NX> 999 Bye

and add a password again without the brackets ()

Code:
sudo nxserver --passwd (yourusername)

NX> 100 NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: 3.3.0)
New password: (enter your NEW password here and hit Enter (It wont be displayed) see below)
Password changed.
NX> 999 Bye


You can paste in a good long premade password, which is what you will put into the FreeNX client, so make it a good one. You'll only need to put it into the FreeNX client once for each profile (Home and Away) if you tick the save password box in the configuration.
I'm not sure how long it can be but it can handle at least 30 characters (and I think up to 64). See:
http://help.ubuntu.com/community/StrongPasswords

Don't forget to restart the sshd daemon after making that change using:
Code:
sudo /etc/init.d/ssh restart


I am not sure if it is really necessary but I guess it can do no harm to restart the freenx server.
Code:
sudo /etc/init.d/freenx-server restart


In Ubuntu the FreeNX client will be under Applications > Internet > NX Client For Linux > (take your pick, there is a wizard if you need it, I just use the top one).

Start the FreeNX Client and you should be able to connect the client to the server (host) on your LOCAL network using yourusername and the password you just created. Once you put in yourusername and the password, click on "configure", put the IP Address of the server (Host) where it says Host, put in the port # you gave SSH, tick the save password box and import the key file you created when installing FreeNX, then save at the bottom. Click OK; you should already have your username and password in there, so hit Login.

You should be able to connect over your LAN now. If not go back thru and check everything until you can.

You can have and save more than one profile, for example one for the LAN and one for accessing it from outside the LAN:
Home: the IP Address of the server (host) is used along with the SSH port #.
Away: the DynDNS .com address we will get later is used along with the port # we forwarded in the router "Port From" (above).

What's done and what's left to do:

SSH installed, configured and secured. (Done)
FreeNX installed, configured and secured. (Done)
Router configured to forward port to SSH server. (Done)
Static IP Address for server configured in router. (Done)

Now to set it up so we can access it from outside the LAN. That means from the Internet when we're away from home using the Laptop that we setup as the client.

If you have a STATIC IP Address from your ISP then all you will need to do is set up your Away profile under "Configure > General > Host" to point to that IP Address and put in the port you set up in DD-WRT's Port Forwarding "Port From" along with your username and password.

If your ISP gives you a Dynamic IP Address that changes, then look in your router's DD-WRT settings under "Setup > DDNS". Enable it and you'll find a long list of services like DynDNS.org that you can use to set up a .com, .net, .org, etc. for free.

With these services you'll get a URL like "billybobsburgers.dyndns.org" (that's just an example; you get to pick the name). You'll put that info into your DD-WRT router, and whenever your ISP changes your IP Address it will update so that "billybobsburgers.dyndns.org" still points to your router.

So pick one and go sign up for your url.

Then you just put your "billybobsburgers.dyndns.org" URL into the Away profile under "Configure > General > Host" and put in the port you set up in DD-WRT's Port Forwarding "Port From" along with your username and password that you created earlier. Tick the save password box and import the key file you created when installing FreeNX, then save at the bottom. Click OK; you should already have your username and password in there, so hit Login.

Now you should be able to log on using it from anywhere. You can try it without going anywhere: since FreeNX is pointing to the URL as host, if everything is set up right it will work (with most routers; some won't let you do a loopback). If something's not right it won't.

NOTES:

-----
How to start/stop/restart FreeNX

The FreeNX server is not a service but uses ssh. The following command will stop the FreeNX program from accepting connections.
Code:
sudo /etc/init.d/freenx-server stop

(Replace stop by start for starting it again, or restart to simply restart it)
-----

How to start/stop/restart the SSH Server
Code:
sudo /etc/init.d/ssh stop

(Replace stop by start for starting it again, or restart to simply restart it)
-----

If you don't plan on using the server anytime soon, stopping FreeNX and then SSH can only help your system's security.
If you want to start them again, start SSH first, then start FreeNX.

******

You can make other changes to the files if you want but here's the ones we've done.

On the Server

MODS TO /etc/ssh/sshd_config
#Port 22 (change the number and remove the # before it)
change
#PasswordAuthentication yes
to
PasswordAuthentication no
add
AllowUsers nx (yourusername)
UsePAM yes (already there at bottom place AllowUsers above this)


MODS TO /etc/nxserver/node.conf
#SSHD_PORT=22 (changed to the SSH port number and uncomment the line by removing the # sign)
change
#ENABLE_PASSDB_AUTHENTICATION="0"
and
#ENABLE_SSH_AUTHENTICATION="1"
to
ENABLE_PASSDB_AUTHENTICATION="1"
ENABLE_SSH_AUTHENTICATION="0"

On the Client

MODS TO /etc/ssh/ssh_config
Changed the line
# Port 22
to
Port (the number of the SSH port you set on the server)

--------

Other things you can do

If you want a banner to be displayed whenever someone logs in thru a terminal, a sample banner can be found here
http://help.ubuntu.com/community/SSH/OpenSSH/Configuring

On the server edit the /etc/issue.net file
Code:
gksu gedit /etc/issue.net

Type or paste your banner in it (it should be empty at first)
Save and close

On the server edit the /etc/ssh/sshd_config file
Code:
gksu gedit /etc/ssh/sshd_config

Change
#Banner /etc/issue.net
to
Banner /etc/issue.net

Save and close

Don't forget to restart the SSH Server for it to take effect with
Code:
sudo /etc/init.d/ssh restart

*******

Here's a good page to read
Top 20 OpenSSH Server Best Security Practices
http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html

*******

Uninstalling if you decide you don't want it anymore

On the Client run
Code:
sudo apt-get purge nxclient openssh-client


On the Server (Host) run
Code:
sudo /etc/init.d/freenx-server stop
sudo /etc/init.d/ssh stop
sudo apt-get purge freenx openssh-server

Remove the firewall rule from the server.
Disable the Port Forward on the router.

Removing everything is sure easier than setting it up.

*******

Shadowing a running session and taking control of it.

To shadow the server's desktop with FreeNX, all you have to do is go to Configure in the NX Client and set the following (everything else is the same as earlier):
Desktop: Set to Shadow

You'll have to play with the screen size a little but you can resize it once it's open.

When you click on Login you will get an Available sessions window.
Try the top one first and click on Attach.
If that doesn't work try the next one.
That's it.

References:

Installing OpenSSH
http://help.ubuntu.com/9.10/serverguide/C/openssh-server.html

I wanted stronger keys so I followed this for the keys
http://help.ubuntu.com/community/SSH/OpenSSH/Keys

Strong Passwords
http://help.ubuntu.com/community/StrongPasswords

Installing FreeNX
http://help.ubuntu.com/community/FreeNX

Thread on FreeNX Security in the Ubuntu Forum
Secured freeNX using custom keys. But ssh now open
http://ubuntuforums.org/showthread.php?t=1062942

DD-WRT Static IP Address Leases
http://www.dd-wrt.com/wiki/index.php/Static_DHCP

DD-WRT Port Forwarding
http://www.dd-wrt.com/wiki/index.php/Port_Forwarding

Display Banner
http://help.ubuntu.com/community/SSH/OpenSSH/Configuring

Port Lists
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
http://www.iana.org/assignments/port-numbers
http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html

I hope that you enjoyed my how to and that you find it both useful and helpful.

You can change the FreeNX window size by clicking the configuration button and setting the size at the bottom.
So here's a pic of me running a bit torrent program on the server using FreeNX while transferring a file from the server to the client with Nautilus. The black is the client's panels and the grey is the server's panels and window.
[Attachment: SSH-FreeNX.png]
HP G60-125NR - AMD Turion X2 64 - nVidia GeForce 8200M G - 128 GB SSD Dual boot - Ultimate Edition, Win 10 Pro
HP G60-121WM - AMD Sempron SI-40 - nVidia GeForce 8200M G - 128 GB SSD - Dual boot - Ultimate Edition, Win 10 Pro
Custom build, Rosewill Challenger ATX Gaming Case, AMD Phenom II x4 955 C3 rev., MSI 870A-G54, 2x ATI HD4850 512MB /256bit GDDR3 & dual precision, GSkill 8GB 1600 RAM - Multi boot - Ultimate Edition, Win 10 Pro, Beta Testing
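
The server-side changes listed under "MODS TO /etc/ssh/sshd_config" and "MODS TO /etc/nxserver/node.conf" can be checked with a script. The following is an added example, not part of the original post: it reads both files, treats the commented-out values shown in the how-to as the defaults (an assumption), and reports each deviation, including a node.conf SSHD_PORT that no longer matches sshd's Port. The port 50022, the account name alice, the sample files and all function names are constructed for illustration.

```shell
#!/bin/sh
# Audit the two server files the how-to edits. Defaults are the commented-out
# values the how-to shows; treating them as built-in defaults is an assumption.

# Value of a keyword in the global part of an sshd_config-style file: keywords
# are case-insensitive, '#' lines are skipped, scanning stops at a Match block.
sshd_value() {  # $1=file $2=keyword $3=default
    awk -v k="$2" -v d="$3" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit }
        END { if (!found) print d }' "$1"
}

# Value of KEY=value or KEY="value" in node.conf; the last assignment wins.
node_value() {  # $1=file $2=KEY $3=default
    awk -F= -v k="$2" -v d="$3" '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { val = $2; gsub(/[" \t]/, "", val); found = 1 }
        END { print (found ? val : d) }' "$1"
}

flag() { echo "FINDING: $*"; findings=$((findings + 1)); }

# Prints one line per deviation from the how-to; exit status = number of findings.
audit_remote_desktop() {  # $1=sshd_config $2=node.conf
    findings=0
    port=$(sshd_value "$1" Port 22)
    pw=$(sshd_value "$1" PasswordAuthentication yes)
    users=$(sshd_value "$1" AllowUsers "")
    nxport=$(node_value "$2" SSHD_PORT 22)
    passdb=$(node_value "$2" ENABLE_PASSDB_AUTHENTICATION 0)
    nxssh=$(node_value "$2" ENABLE_SSH_AUTHENTICATION 1)

    [ "$port" != 22 ] || flag "sshd Port is still the default 22"
    [ "$pw" = no ] || flag "PasswordAuthentication is '$pw', not 'no'"
    case " $users " in
        "  ") flag "AllowUsers is not set" ;;
        *" nx "*) ;;
        *) flag "AllowUsers does not list 'nx'" ;;
    esac
    [ "$nxport" = "$port" ] || flag "node.conf SSHD_PORT=$nxport but sshd Port=$port"
    [ "$passdb" = 1 ] || flag "ENABLE_PASSDB_AUTHENTICATION is '$passdb', not 1"
    [ "$nxssh" = 0 ] || flag "ENABLE_SSH_AUTHENTICATION is '$nxssh', not 0"
    return "$findings"
}

# Constructed sample files: a fresh install, the how-to fully applied, and a
# half-finished state where sshd moved ports but node.conf was never updated.
write_samples() {  # $1=directory
    printf '%s\n' '#Port 22' '#PasswordAuthentication yes' 'UsePAM yes' \
        > "$1/sshd_fresh"
    printf '%s\n' '#SSHD_PORT=22' '#ENABLE_PASSDB_AUTHENTICATION="0"' \
        '#ENABLE_SSH_AUTHENTICATION="1"' > "$1/node_fresh"
    printf '%s\n' 'Port 50022' 'PasswordAuthentication no' \
        'AllowUsers nx alice' 'UsePAM yes' > "$1/sshd_done"
    printf '%s\n' 'SSHD_PORT=50022' 'ENABLE_PASSDB_AUTHENTICATION="1"' \
        'ENABLE_SSH_AUTHENTICATION="0"' > "$1/node_done"
    printf '%s\n' '#SSHD_PORT=22' 'ENABLE_PASSDB_AUTHENTICATION="1"' \
        'ENABLE_SSH_AUTHENTICATION="0"' > "$1/node_stale"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_remote_desktop "$demo_dir/sshd_fresh" "$demo_dir/node_fresh" || echo "fresh install: $? finding(s)"
audit_remote_desktop "$demo_dir/sshd_done" "$demo_dir/node_stale" || echo "stale node.conf: $? finding(s)"
audit_remote_desktop "$demo_dir/sshd_done" "$demo_dir/node_done" && echo "how-to applied: clean"
rm -rf "$demo_dir"
```

On a real server, point it at the live files: audit_remote_desktop /etc/ssh/sshd_config /etc/nxserver/node.conf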